hxxps://www[.]unknowncheats[.]me/forum/downloads[.]php?do=file&id=35781&act=down&actionhash=1715541017-1c50b94a25f2d30c05e0e81a321abe8947ab6ede

Analysis

max time kernel
1799s
max time network
1688s
platform
windows10-2004_x64
resource
win10v2004-20240508-de
resource tags

arch:x64arch:x86image:win10v2004-20240508-delocale:de-deos:windows10-2004-x64systemwindows
submitted
12/05/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.unknowncheats.me/forum/downloads.php?do=file&id=35781&act=down&actionhash=1715541017-1c50b94a25f2d30c05e0e81a321abe8947ab6ede

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133600151172654647"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
3312	chrome.exe
3312	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1248	1472	chrome.exe	82
PID 1472 wrote to memory of 1248	1472	chrome.exe	82
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 1120	1472	chrome.exe	83
PID 1472 wrote to memory of 684	1472	chrome.exe	84
PID 1472 wrote to memory of 684	1472	chrome.exe	84
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85
PID 1472 wrote to memory of 2724	1472	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.unknowncheats.me/forum/downloads.php?do=file&id=35781&act=down&actionhash=1715541017-1c50b94a25f2d30c05e0e81a321abe8947ab6ede
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb33deab58,0x7ffb33deab68,0x7ffb33deab78
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1948,i,18064350825166943876,5294489789555794077,131072 /prefetch:2
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1948,i,18064350825166943876,5294489789555794077,131072 /prefetch:8
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2288 --field-trial-handle=1948,i,18064350825166943876,5294489789555794077,131072 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1948,i,18064350825166943876,5294489789555794077,131072 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1948,i,18064350825166943876,5294489789555794077,131072 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1948,i,18064350825166943876,5294489789555794077,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1948,i,18064350825166943876,5294489789555794077,131072 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=928 --field-trial-handle=1948,i,18064350825166943876,5294489789555794077,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3312

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
6150f3b7194d626369b79976bbd37ac7

SHA1
8b09d990386234b5a53f7823bdc4e1e00d980bff

SHA256
55e7f7696d053e508de9e0031b5cf99339cee95d77cc9b671bef22351a562d0a

SHA512
0184fd3370e6626e0a217e8ed727be31f062915f61c55ca62ac88e8e07a593a6c12259754a95b15404abee57d6faac6e316b8f7a4d3ebb4bd4360dbf61d3292d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
b28dfe741a34f7507fa7d50574f3aedc

SHA1
e18f0f6aaf8dc1990dc482825ad5d9cbaf160dd2

SHA256
aa771ce937e53c52b6a8cf761f391bf2d984fcabdde1d006744f0c2c0ac5d38a

SHA512
e17cf4288bb0b17cb7ae14a87d6e1f5c1a4b1a739e2b40568e3d1d90650ef1faac34729bab54202b2818fc0a174bc329838682f405557ab7fd9d311ee3de8730

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d081a184e3cf8b93006e72fa51a3051b

SHA1
409f5cbf016e5d5ffbaca4e526ea99ee7236d74a

SHA256
5c4590d6753b8bfc8d772bbfb72365814441bfddc646ecbfd3071fb262e21179

SHA512
46d58f9cc4f9d034d88fabaf89ca21a0ece2c39ccef790e406bf91f248d8786695777b456dafcfd45e8e005ca512d5bd517f9243af03ac2f502c3f4a6a5bfae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d34bc5cd7f0f841dabdc8eaeec021670

SHA1
da41361b694d68ad1ebb45ee9399882c89a216cf

SHA256
cc35ab6388a4612b0a0414b7d28726851a02791839802f708aa5aa3b6c68c1bd

SHA512
793b19796f6cbbda845314a0b10fff1008d1f1f1bf75961cf8f4d10ec84b2d401456e1f31317c5757b7262c783a2f8b0f5f1c2982ebc82827f00678517bf8e00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
6145ef11a7279349f77c6307d9328259

SHA1
9320bbc2b4b5c4ce2b64d3f629183651066001f5

SHA256
9511aabe92c1b52dd5ec28853abef605bed2aeb6c98fb658521766d82a6798c3

SHA512
8aa253d4dedbb7da233dd04e34ea03ff2e803fd9bc41448b0c3206cbe52e5c2312777df0ef34051189f77f65d7ece96baca18370c2d642c65e1de94654077763

Download Submit